10-22-2009 02:14 AM - edited 03-10-2019 04:45 PM
Hello Everyone.
I'm not an expert in AAA Authentication that's why I'm here..
We have 3 routers, 1 of which works with Authentication and the other 2 that don't.
We have configured the following:
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated.
The problem is that when I try to connect using the TACACS server username and password it gives me the classic generic error message:
% Athentication Failed
But if I try the local username and password it works..
How come? It's not a problem of routing, because the one that works uses the same exit point to reach the server as the one that doesn't; the only difference is that the IOS is different.
Can anyone point me in the right direction? Please and thank you
10-22-2009 02:33 AM
It seems that the router is not able to reach tacacs. Since it is a layer 3 device you need to set up a source interface for tacacs.
Ip tacacs source-interface x/y
Where source interface is the one that is listed in acs --> network configuration-->aaa client-->router ip .
ip tacacs source-interface
To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration or server-group configuration mode. To disable use of the specified interface IP address, use the no form of this command.
ip tacacs source-interface subinterface-name
no ip tacacs source-interface
Regards,
~JG
Do rate helpful posts
10-22-2009 02:59 AM
Hello,
Thank you so much for your response.
We came across that command as well; in fact it has already been applied.
ip tacacs source-interface Loopback0
When you say that we are not able to reach the tacacs server are you indicating a problem with routing?
The reason I ask is because 1 of the 3 routers work.
If I perform the show tacacs command I receive the following:
Tacacs+ Server :
Socket opens: 370
Socket closes: 370
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 370
Total Packets Recv: 370
No current connection
Tacacs+ Server :
Socket opens: 146
Socket closes: 146
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 2
Failed Connect Attempts: 0
Total Packets Sent: 146
Total Packets Recv: 144
No current connection
This command leads me to believe that it is reachable no?
Mav
10-22-2009 04:00 AM
Hi Mav,
Looks like the authentication request is not reaching tacacs, which is why you are able to authenticate using the local username & password. Since you've already defined "ip tacacs source-interface loopback0" on the router, you need to check the following:
1.] Are you able to ping the tacacs server?
2.] Are you able to telnet into it
router#telnet
3.] Do you have the same ip configured on the ACS > network configuration same as loopback0 interface.
4.] make sure that tacacs service is running > Go to system configuration > services control > and look at the bottom tabs.
If all of the above options are correctly configured/work then please help me with the following debugs:
debug aaa authentication
debug tacacs
term mon
Now, try to authenticate again so that we can generate debugs and post it here.
HTH
JK
Plz rate helpful posts-
10-22-2009 05:31 AM
Thanks for the reply,
1#:
Yes, able to ping the tacacs
2#
Yes, take a look:
#telnet x.x.x.x 49
Trying x.x.x.x, 49 ... Open
3#
Currently verifying this! Will let you know!
4#
For step number 4, this needs to be done on the server correct? I don't have access to it our system admin does.
10-22-2009 05:44 AM
Hi,
Yes, I can see that you can ping and telnet to the tacacs server. You're correct, both [3] and [4] steps can only be verified if we have access to ACS under network configuration and system configuration.
Please first run the debugs and then also run this command on the router:
router#test aaa group tacacs+
HTH
JK
Plz rate helpful posts-
10-22-2009 06:06 AM
I feel like we are getting close and all thanks to you!!
The output is as follows:
#test aaa group tacacs+ <__> <__> legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.
PR
10-22-2009 07:31 AM
Did you check the shared secret key? On ACS the NDG key overrides the aaa-client key.
Make sure key is not an issue.
Regards,
~JG
10-22-2009 11:57 PM
I figured out what the problem was; it seems the IOS version that is running on the router didn't like the encrypted key.
When I inserted the non-encrypted version everything worked fine.
Thanks for all your help, sincerely.
Mav
10-23-2009 04:04 AM
Hi Mav,
Thanks for sharing the solution :)
That is why I asked you to run the debugs. Just wanted to share with you that whenever we have a key mismatch issue,
we will see these kinds of debugs:
AUTHEN/START/LOGIN/ASCII queued
TAC+: AUTHEN/START/LOGIN/ASCII processed
TAC+: decrypt: pak is unencrypted but we have a key
TAC+: Unable to decrypt data from SERVER OR NAS.
TAC+: Closing TCP/IP 0x765C2C connection
OR TAC+: CHECK THE KEYS
Also, IOS should take the encrypted key. As far as I know there is no known issue. Make sure that you have the correct encrypted key. It should work.
On the IOS, we should have service password-encryption available.
Do let me know if you have any query.
HTH
JK
Plz rate helpful posts-
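The diagnostic logic of the post above, written up as an added Python helper (not code from the thread or from Cisco): it classifies `debug tacacs` lines and `show tacacs` counters together, to show why healthy socket counters like Mav's plus "Unable to decrypt" point at the shared key rather than at reachability. All sample text is constructed.

```python
import re

# Constructed samples modelled on the thread's debug lines and counters; not real captures.
SAMPLE_DEBUG = """\
TAC+: AUTHEN/START/LOGIN/ASCII processed
TAC+: decrypt: pak is unencrypted but we have a key
TAC+: Unable to decrypt data from SERVER OR NAS.
TAC+: Closing TCP/IP 0x765C2C connection
"""
SAMPLE_SHOW_TACACS = """\
Tacacs+ Server :
Socket errors: 0
Socket Timeouts: 2
Failed Connect Attempts: 0
Total Packets Sent: 146
Total Packets Recv: 144
No current connection
"""

# Debug fragments that mean the NAS and the ACS disagree on the shared secret.
KEY_MISMATCH_MARKERS = (
    "Unable to decrypt data",
    "pak is unencrypted but we have a key",
    "CHECK THE KEYS",
)

def parse_show_tacacs(text):
    """Turn the 'Name: <int>' counter lines of 'show tacacs' into a dict."""
    pat = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\d+)\s*$", re.M)
    return {m.group(1): int(m.group(2)) for m in pat.finditer(text)}

def reachability(counters):
    """Coarse verdict from the socket and packet counters alone."""
    if counters.get("Failed Connect Attempts", 0) or counters.get("Socket errors", 0):
        return "unreachable"
    lost = counters.get("Total Packets Sent", 0) - counters.get("Total Packets Recv", 0)
    if counters.get("Socket Timeouts", 0) or lost > 0:
        return "reachable, some requests unanswered"
    return "reachable"

def diagnose(show_tacacs_text, debug_text):
    """A server we can open sockets to, but which cannot decrypt our packets,
    is a shared-key problem rather than a routing problem."""
    reach = reachability(parse_show_tacacs(show_tacacs_text))
    if any(mark in debug_text for mark in KEY_MISMATCH_MARKERS):
        return "shared-key mismatch (server %s)" % reach
    if reach == "unreachable":
        return "server unreachable: check routing and source-interface"
    return "no key problem seen: check ACS client entry and service"
```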
05-07-2010 03:01 AM
Hi,
May I check with you what do you mean by inserting a non-encrypted key? I'm also seeing the same problem as yours. Please advise.
thanks.
wk
09-28-2015 04:58 PM
I have the same doubt: what do you mean by inserting a non-encrypted key?
Regards